TJX was warned of lax security, court papers say

Saturday

Oct 27, 2007 at 2:00 AM

BOSTON — TJX Cos. was warned it had inadequate safeguards to protect credit card data the year before hackers broke into the discount retailer's systems and unearthed information from an estimated 100 million credit cards, banks that are suing TJX allege in a court filing.

THE ASSOCIATED PRESS

Despite the 2004 warning about compliance with credit card industry standards, TJX failed to fix many of the problems before hackers first broke into the company's systems in July 2005, according to the filing late Thursday in U.S. District Court in Boston.

"This report identified numerous serious deficiencies at TJX, including specifically violations. TJX did not remedy many of these deficiencies," the filing says.

Sherry Lang, a spokeswoman for Framingham, Mass.-based TJX, said, "We will not comment on allegations made against us by the plaintiffs in pending litigation."

TJX, the owner of 2,500 discount stores, recently upgraded its security, and Lang said the company has been certified by an independent assessor as "fully compliant with all" current standards applying to large merchants.

The court filing alleges that after the breach, a consultant found TJX had failed to comply with nine of 12 standards that credit card firms impose on merchants to protect data.

TJX recently said that before the breach, it invested "millions of dollars on computer security, and believes our security was comparable to many major retailers."

The filing does not offer further detail on the 2004 report, titled "Verisign Report of CISP Compliance." It is among a handful of documents sealed in the court case because they contain technical details about TJX's security.

Verisign Inc. is a provider of digital-security services, and CISP refers to Cardholder Information Security Program, standards that Visa established for retailers to protect sensitive data.

An independent security analyst yesterday said TJX failed to adequately respond to the 2004 warning.

"Much of the damage and litigation could have been avoided if the September 2004 report was acted upon with more urgency," said Avivah Litan, of Gartner Inc.

The court filing alleges hackers used TJX's high-speed Internet connection in Massachusetts to transfer massive amounts of data — more than 80 gigabytes — to an Internet site in California. The break-in gave hackers undetected access to TJX's central databases for a year and a half.